
What time was the Out Of Office added/changed?

<<

Dav_Id

Newbie

Posts: 12

Joined: Fri Jul 17, 2009 1:27 pm

Post Mon Jul 27, 2009 5:17 pm

What time was the Out Of Office added/changed?

Hi Guys,

Got an interesting one here, thought you might like a go at solving.

I have a client that has an employee that skipped work today. Their out of office reply on their system, Outlook 2007 on a 2003 SBS server, was set saying they would not be in until tomorrow!!

They went on vacation on Thursday and should have been back today. They set up the Out of Office (apparently) to say back today.

The question is: is there a way of telling when the original out of office was set and if/when it was changed?

Sorry if it sounds lame but it may be something you have done in the past?

Cheers.

Dav
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Jul 27, 2009 6:27 pm

Re: What time was the Out Of Office added/changed?

I believe you can determine this using MAPI properties in the Microsoft Exchange Information Store. Out Of Office Assistant is simply a mailbox rule that is located in the user's mailbox. The rule is actually a hidden message. You cannot see any of this in Outlook or the Exchange client.

Here is what you can do:

1. Download Microsoft Exchange MAPI Editor from the following location. This is a Microsoft-maintained tool for editing MAPI properties in various types of MAPI stores, including the Exchange Information Store.

http://mfcmapi.codeplex.com/

2. Connect the MAPI Editor to the Exchange server that contains the mailbox with the Out Of Office rule. You would do this by going to the Session menu, and choosing Logon and Display Store Table.

I always do this with an Exchange admin account.  I have to modify the account to have Send As and Receive As rights on the mailbox in question.  The mailbox you choose in the profile creation wizard should be the mailbox you want to analyze.  I also run this directly from the Exchange server.

After you connect, you should have the mailbox and public folders for the custodian in question listed in the top pane.

3.  Double-click the Mailbox - Custodian Name in the top pane to open the Mailbox Root Container.

4.  Expand the Root Container down to Inbox.   Inbox is under Top of Information Store.

5.  Right-click the Inbox and choose Open Associated Contents Table.   This table should contain the hidden messages in the Inbox.

6.  Find the Out of Office Assistant rule in the top pane and click on it (single click).

7.  In the bottom pane, you should have the following MAPI properties:

PR_CREATION_TIME
PR_LAST_MODIFICATION_TIME
PR_LOCAL_COMMIT_TIME

You may have some others.  If you are on an Outlook 2007 MAPI system, these properties will be a little different.   PR_CREATION_TIME becomes PidTagCreationTime, for example.

Unfortunately, this is hardly a forensic process, since it must be done on the live system.  You can attempt to restore a backup or an image of the Exchange server, but that's quite a bit of work.

<edit> I haven't tried this with a PST file, but I would assume the procedure could work. The PST would have to be a complete export, including system data. </edit>

Hope this helps.
Last edited by Ketchup on Mon Jul 27, 2009 8:13 pm, edited 1 time in total.
~~~~~~~~~~~~~~
Ketchup
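
Added example, not part of Ketchup's post and not MFCMAPI code: the three properties from step 7 are PT_SYSTIME values, i.e. 64-bit Windows FILETIMEs in UTC, so this Python sketch converts hand-transcribed low/high DWORD pairs to UTC and checks whether the hidden rule message was modified after it was created. The note format, the function names and the sample values are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# PT_SYSTIME is a FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Property tags of the three timestamps named in step 7 (type PT_SYSTIME = 0x0040).
TIME_PROPS = {
    0x30070040: "PR_CREATION_TIME",
    0x30080040: "PR_LAST_MODIFICATION_TIME",
    0x67090040: "PR_LOCAL_COMMIT_TIME",
}

# Assumed examiner note format (hypothetical): "<tag> Low: 0x........ High: 0x........"
LINE_RE = re.compile(
    r"(0x[0-9A-Fa-f]{8})\s+Low:\s*(0x[0-9A-Fa-f]{1,8})\s+High:\s*(0x[0-9A-Fa-f]{1,8})")

# Constructed sample values, not taken from any real mailbox.
SAMPLE_NOTES = """
0x30070040 Low: 0x54995E00 High: 0x01CA0BAF
0x30080040 Low: 0xB240DB00 High: 0x01CA0E39
0x67090040 Low: 0xB240DB00 High: 0x01CA0E39
"""

def filetime_to_utc(low, high):
    """Combine the two DWORDs and convert to a timezone-aware UTC datetime."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_notes(text):
    """Return {property name: UTC datetime} for the known timestamp tags."""
    times = {}
    for match in LINE_RE.finditer(text):
        tag, low, high = (int(group, 16) for group in match.groups())
        if tag in TIME_PROPS:
            times[TIME_PROPS[tag]] = filetime_to_utc(low, high)
    return times

def changed_after_creation(times, slack=timedelta(seconds=2)):
    """True if the rule message was saved again after it was first created."""
    delta = times["PR_LAST_MODIFICATION_TIME"] - times["PR_CREATION_TIME"]
    return delta > slack, delta

if __name__ == "__main__":
    found = parse_notes(SAMPLE_NOTES)
    for name, when in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"{when.isoformat()}  {name}")
    print("modified after creation:", changed_after_creation(found))
```

The output is in UTC; convert to the custodian's local time zone before comparing it with their stated schedule.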
<<

Dav_Id

Newbie

Posts: 12

Joined: Fri Jul 17, 2009 1:27 pm

Post Tue Jul 28, 2009 1:43 am

Re: What time was the Out Of Office added/changed?

:) :) :)

Hi Ketchup,

You are a Geeeeeeenius!

Thank you.

I understand it may not be Forensics in the computer forensics sense of the definition but it is a great help.

Thank you again.

Dav
